COCON, the Code of Conduct sourcebook, is the section of the FCA Handbook that contains the Conduct Rules applying to individuals at SMCR firms. It is distinct from SYSC (which governs firm-level systems and controls) in that its obligations are personal: a breach of COCON is a breach by an individual, not the firm, and can result in FCA disciplinary action against that person directly.
What COCON contains
COCON sets out two tiers of Conduct Rules:
Individual Conduct Rules (IC1–IC5) apply to all Conduct Rules staff, in practice almost everyone at an SMCR firm:
- IC1: act with integrity
- IC2: act with due skill, care and diligence
- IC3: be open and cooperative with the FCA, PRA and other regulators
- IC4: pay due regard to the interests of customers and treat them fairly
- IC5: observe proper standards of market conduct
Senior Manager Conduct Rules (SC1–SC4) apply additionally to approved Senior Management Function holders:
- SC1: take reasonable steps to ensure the business for which you are responsible is controlled effectively
- SC2: take reasonable steps to ensure that the business for which you are responsible complies with the relevant requirements and standards of the regulatory system
- SC3: take reasonable steps to ensure that any delegation of your responsibilities is to an appropriate person and that you oversee the discharge of the delegated responsibility effectively
- SC4: disclose appropriately any information of which the FCA or PRA would reasonably expect notice
COCON and NFM from September 2026
FCA Policy Statement PS25/23 introduces COCON 1.1.7FR, effective 1 September 2026, which extends COCON’s scope to cover serious non-financial misconduct (bullying, harassment and violence) at all SMCR firms. Individual Conduct Rules IC1 and IC2 can be breached through serious NFM, and SC4 creates a disclosure obligation for Senior Managers regarding private-life conduct material to their fitness assessment. See our non-financial misconduct guide.
Breach reporting
Firms must report COCON breaches to the FCA via SUP 15. Non-SMFs covering SMF roles must report breaches “as soon as practicable” following PS26/6 changes from April 2026. See our guide to SM&CR reform 2026 for the updated reporting timeline.